CWE-323
AllowedReusing a Nonce, Key Pair in Encryption
Abstraction: Base · Status: Incomplete
Nonces should be used for the present occasion and only once.
78 vulnerabilities reference this CWE, most recent first.
GHSA-VGQJ-4JHR-3WH5
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 00:34ImageMagick before 7.1.2-22 contains an information disclosure vulnerability in the PasskeyEncipherImage method due to AES-CTR nonce reuse. Attackers can exploit nonce reuse in the cipher implementation to recover plaintext information from encrypted images.
{
"affected": [],
"aliases": [
"CVE-2026-56369"
],
"database_specific": {
"cwe_ids": [
"CWE-323"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:17:31Z",
"severity": "MODERATE"
},
"details": "ImageMagick before 7.1.2-22 contains an information disclosure vulnerability in the PasskeyEncipherImage method due to AES-CTR nonce reuse. Attackers can exploit nonce reuse in the cipher implementation to recover plaintext information from encrypted images.",
"id": "GHSA-vgqj-4jhr-3wh5",
"modified": "2026-07-01T00:34:14Z",
"published": "2026-07-01T00:34:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qv2q-c278-pch5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56369"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/imagemagick-information-disclosure-via-aes-ctr-nonce-reuse-in-passkeyencipherimage"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VGV9-MV66-MPC7
Vulnerability from github – Published: 2026-04-09 21:31 – Updated: 2026-04-29 18:31In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data record. Because wc_AriaEncrypt is stateless and passes the caller-supplied IV verbatim to the MagicCrypto SDK with no internal counter, and because the explicit IV is zero-initialized at session setup and never incremented in non-FIPS builds. This vulnerability affects wolfSSL builds configured with --enable-aria and the proprietary MagicCrypto SDK (a non-default, opt-in configuration required for Korean regulatory deployments). AES-GCM is not affected because wc_AesGcmEncrypt_ex maintains an internal invocation counter independently of the call-site guard.
{
"affected": [],
"aliases": [
"CVE-2026-5446"
],
"database_specific": {
"cwe_ids": [
"CWE-323"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-09T21:16:12Z",
"severity": "MODERATE"
},
"details": "In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data record. Because wc_AriaEncrypt is stateless and passes the caller-supplied IV verbatim to the MagicCrypto SDK with no internal counter, and because the explicit IV is zero-initialized at session setup and never incremented in non-FIPS builds. This vulnerability affects wolfSSL builds configured with --enable-aria and the proprietary MagicCrypto SDK (a non-default, opt-in configuration required for Korean regulatory deployments). AES-GCM is not affected because wc_AesGcmEncrypt_ex maintains an internal invocation counter independently of the call-site guard.",
"id": "GHSA-vgv9-mv66-mpc7",
"modified": "2026-04-29T18:31:31Z",
"published": "2026-04-09T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5446"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/pull/10111"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W3HJ-WR2Q-X83G
Vulnerability from github – Published: 2021-04-06 17:22 – Updated: 2025-12-02 01:28Discovery uses the same AES/GCM Nonce throughout the session though it should be generated on per message basis which can lead to the leaking of the session key. As the actual ENR record is signed with a different key it is not possible for an attacker to alter the ENR record. Note that the node private key is not compromised, only the session key generated to communicate with an individual peer.
From discovery spec:
The number of messages which can be encrypted with a certain session key is limited because encryption of each message requires a unique nonce for AES-GCM. In addition to the keys, the session cache must also keep track of the count of outgoing messages to ensure the uniqueness of nonce values. Since the wire protocol uses 96 bit AES-GCM nonces, it is strongly recommended to generate them by encoding the current outgoing message count into the first 32 bits of the nonce and filling the remaining 64 bits with random data generated by a cryptographically secure random number generator.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "tech.pegasys.discovery:discovery"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-23688"
],
"database_specific": {
"cwe_ids": [
"CWE-323",
"CWE-330"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-30T17:04:34Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "Discovery uses the same AES/GCM Nonce throughout the session though it should be generated on per message basis which can lead to the leaking of the session key. As the actual ENR record is signed with a different key it is not possible for an attacker to alter the ENR record. Note that the node private key is not compromised, only the session key generated to communicate with an individual peer.\n\nFrom [discovery spec](https://github.com/ethereum/devp2p/blob/f97b8a5b8e9589d3355ebbd9d4a58d5d1644bdf7/discv5/discv5-theory.md#session-cache):\n\u003e The number of messages which can be encrypted with a certain session key is limited because encryption of each message requires a unique nonce for AES-GCM. In addition to the keys, the session cache must also keep track of the count of outgoing messages to ensure the uniqueness of nonce values. Since the wire protocol uses 96 bit AES-GCM nonces, it is strongly recommended to generate them by encoding the current outgoing message count into the first 32 bits of the nonce and filling the remaining 64 bits with random data generated by a cryptographically secure random number generator.",
"id": "GHSA-w3hj-wr2q-x83g",
"modified": "2025-12-02T01:28:16Z",
"published": "2021-04-06T17:22:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ConsenSys/discovery/security/advisories/GHSA-w3hj-wr2q-x83g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23688"
},
{
"type": "PACKAGE",
"url": "https://github.com/ConsenSys/discovery"
},
{
"type": "WEB",
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-w3hj-wr2q-x83g"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Discovery uses the same AES/GCM Nonce throughout the session"
}
GHSA-W75V-7C2J-X3QX
Vulnerability from github – Published: 2026-01-07 12:31 – Updated: 2026-01-07 12:31Cryptographic issue may occur while encrypting license data.
{
"affected": [],
"aliases": [
"CVE-2025-47345"
],
"database_specific": {
"cwe_ids": [
"CWE-323"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-07T12:17:04Z",
"severity": "HIGH"
},
"details": "Cryptographic issue may occur while encrypting license data.",
"id": "GHSA-w75v-7c2j-x3qx",
"modified": "2026-01-07T12:31:24Z",
"published": "2026-01-07T12:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47345"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WF34-HX5V-VQ6Q
Vulnerability from github – Published: 2025-05-02 15:31 – Updated: 2025-05-02 15:31Initialization vector (IV) reuse in the web management portal of the Tenda RX2 Pro 16.03.30.14 may allow an attacker to discern information about or more easily decrypt encrypted messages between client and server.
{
"affected": [],
"aliases": [
"CVE-2025-46632"
],
"database_specific": {
"cwe_ids": [
"CWE-323"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T20:15:39Z",
"severity": "MODERATE"
},
"details": "Initialization vector (IV) reuse in the web management portal of the Tenda RX2 Pro 16.03.30.14 may allow an attacker to discern information about or more easily decrypt encrypted messages between client and server.",
"id": "GHSA-wf34-hx5v-vq6q",
"modified": "2025-05-02T15:31:46Z",
"published": "2025-05-02T15:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46632"
},
{
"type": "WEB",
"url": "https://blog.uturn.dev/#/writeups/iot-village/tenda-rx2pro/README?id=cve-2025-46632-static-iv-use-in-httpd"
},
{
"type": "WEB",
"url": "https://www.tendacn.com/us/default.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WP4M-7HPJ-8QP8
Vulnerability from github – Published: 2024-01-20 00:30 – Updated: 2025-12-02 00:28Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-w3hj-wr2q-x83g. This link is maintained to preserve external references.
Original Description
Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node's private key isn't compromised, only the session key generated for specific peer communication is exposed.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "tech.pegasys.discovery:discovery"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-323",
"CWE-330"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-02T00:28:45Z",
"nvd_published_at": "2024-01-19T22:15:08Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-w3hj-wr2q-x83g. This link is maintained to preserve external references.\n\n### Original Description\nConsensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node\u0027s private key isn\u0027t compromised, only the session key generated for specific peer communication is exposed.",
"id": "GHSA-wp4m-7hpj-8qp8",
"modified": "2025-12-02T00:28:45Z",
"published": "2024-01-20T00:30:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ConsenSys/discovery/security/advisories/GHSA-w3hj-wr2q-x83g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23688"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-w3hj-wr2q-x83g"
},
{
"type": "WEB",
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-w3hj-wr2q-x83g"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Discovery uses the same AES/GCM Nonce throughout the session",
"withdrawn": "2025-12-02T00:28:45Z"
}
GHSA-X72P-G37Q-4XR9
Vulnerability from github – Published: 2024-07-22 09:31 – Updated: 2024-07-31 18:42Withdrawn: The attack vector described in the backing report required that an attacker gain access to a user's session cookie. By gaining access to the session cookie the attacker is for all intents and purposes the valid user and any access to user data would be expected.
~In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.~
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/drakkan/sftpgo/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-40430"
],
"database_specific": {
"cwe_ids": [
"CWE-323",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-22T18:46:59Z",
"nvd_published_at": "2024-07-22T07:15:02Z",
"severity": "MODERATE"
},
"details": "Withdrawn:\nThe attack vector described in the backing report required that an attacker gain access to a user\u0027s session cookie. By gaining access to the session cookie the attacker is for all intents and purposes the valid user and any access to user data would be expected.\n\n~In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.~",
"id": "GHSA-x72p-g37q-4xr9",
"modified": "2024-07-31T18:42:56Z",
"published": "2024-07-22T09:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40430"
},
{
"type": "WEB",
"url": "https://github.com/github/advisory-database/pull/4645"
},
{
"type": "WEB",
"url": "https://alexsecurity.rocks/posts/cve-2024-40430"
},
{
"type": "PACKAGE",
"url": "https://github.com/drakkan/sftpgo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Withdrawn: SFTPGo\u0027s JWT implmentation lacks certain security measures",
"withdrawn": "2024-07-31T18:42:56Z"
}
GHSA-XR5H-PHRJ-8VXV
Vulnerability from github – Published: 2026-05-13 01:36 – Updated: 2026-05-14 20:38Impact
Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa.
Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications that meet all of the following conditions:
- The application uses server islands
- Two different server island components share the same key name for a prop and a slot
- An attacker has full control over the value of the overlapping prop (requires a dynamically rendered page)
These conditions are very unlikely to occur in real-world production applications.
Patches
This has been patched in astro@6.1.10.
The fix binds each encrypted parameter to its target component and purpose using AES-GCM authenticated additional data (AAD). Each ciphertext now includes context like props:IslandName or slots:IslandName, so encrypted data for one component cannot be replayed against a different component, and encrypted props cannot be reused as slots.
References
- Fix PR: https://github.com/withastro/astro/pull/16457
- Example demonstrating the vulnerability: https://github.com/CyberSecurityAustria/ACSC2026-web-astronomical
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "astro"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.1.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45028"
],
"database_specific": {
"cwe_ids": [
"CWE-323",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-13T01:36:39Z",
"nvd_published_at": "2026-05-13T16:17:00Z",
"severity": "LOW"
},
"details": "### Impact\n\nAstro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component\u0027s encrypted props (`p`) value as another component\u0027s slots (`s`) value, or vice versa.\n\nSince slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications that meet **all** of the following conditions:\n\n- The application uses server islands\n- Two different server island components share the same key name for a prop and a slot\n- An attacker has full control over the value of the overlapping prop (requires a dynamically rendered page)\n\nThese conditions are very unlikely to occur in real-world production applications.\n\n### Patches\n\nThis has been patched in **astro@6.1.10**.\n\nThe fix binds each encrypted parameter to its target component and purpose using AES-GCM authenticated additional data (AAD). Each ciphertext now includes context like `props:IslandName` or `slots:IslandName`, so encrypted data for one component cannot be replayed against a different component, and encrypted props cannot be reused as slots.\n\n### References\n\n- Fix PR: https://github.com/withastro/astro/pull/16457\n- Example demonstrating the vulnerability: https://github.com/CyberSecurityAustria/ACSC2026-web-astronomical",
"id": "GHSA-xr5h-phrj-8vxv",
"modified": "2026-05-14T20:38:54Z",
"published": "2026-05-13T01:36:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/withastro/astro/security/advisories/GHSA-xr5h-phrj-8vxv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45028"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/pull/16457"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/commit/3d82220a1549e699e34ed433f3846a919f4c02bd"
},
{
"type": "PACKAGE",
"url": "https://github.com/withastro/astro"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Astro: Server island encrypted parameters vulnerable to cross-component replay"
}
Mitigation
Refuse to reuse nonce values.
Mitigation
Use techniques such as requiring incrementing, time based and/or challenge response to assure uniqueness of nonces.
No CAPEC attack patterns related to this CWE.